[bdNOG] DHCP Lease and Network Problem Help (Mohammad Shahjahan)
Brian Candler
brian at nsrc.org
Thu Dec 10 14:36:34 BDT 2015
On 10/12/2015 02:42, Mohammad Shahjahan wrote:
> Thank you so much for your cordial help. You are right, the access
> list won't work because our network provides DHCP leases through a layer
> 3 switch with several VLANs, with ip helper address (192.168.1.1) as said.
>
> But there are no options to change the helper IP address, because
> there are lots of routing issues with other countries.
>
> So, that's why I think there is no hope of stopping the use of the GATEWAY IP
> ADDRESS by Android mobile users. We have to think about another
> internet policy.
I don't really follow you.
Issues with how you configure your DHCP service, and issues with users
manually configuring their own IP address to be the same as the subnet's
gateway address, are two completely different things.
"there are no options to change the helper IP address, because there are
lots of routing issues with other countries"
I don't follow that either. The ip helper address configuration is
entirely local to your network and is invisible both to the end-users
and to the rest of the Internet. It just tells the router where to
forward DHCP broadcasts to. It has nothing to do with global Internet
routing.
There is a presentation here which includes a diagram showing how DHCP
helper works:
https://nsrc.org/workshops/2015/renu-cnd/raw-attachment/wiki/Agenda/08.1_Network_Migration.pdf
Now: if you decide to make your DHCP service more resilient by adding a
second DHCP server, you just add this into your network, and you add a
second "ip helper-address" statement onto every VLAN. This is just a
change made locally on your L3 switch. Like I say, no impact on routing.
The second problem is what happens if someone statically configures an
IP address on their machine, and that IP address conflicts with another
IP address in use. Worst case scenario, it conflicts with the router's
IP address on that subnet.
I suggest that:
1. If you have a reliable DHCP service, there is no need for users to
statically configure an address, ever. And once they trust the DHCP
service, they won't even bother trying.
2. You can tell your users the policy is that they must use DHCP and are
forbidden to configure addresses statically.
3. You might be able to enforce this policy at the switch (e.g. using IP
tracking), but it depends exactly what sort of switches and features you
have available.
4. You can monitor and detect when this problem occurs, and take action
against the offender
But I believe that this will become very rare once you have dependable
DHCP service.
You don't necessarily have to go with two DHCP servers. Other options
would include making your single DHCP server more reliable (e.g. dual
power supplies, connected to UPS); or you can run your DHCP service
directly on the L3 switch itself, although that makes it less easy to
manage, e.g. when you want to add a static mapping from MAC address to
IP address.
But having two DHCP servers is a relatively cheap and simple solution;
also they can be plugged into different switches or different ports on
your L3 switch, so you gain redundancy against more types of failure.
And if you run your caching DNS service on the same two boxes then you
get resilient DNS as well.
Regards,
Brian.
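The reply above describes two local switch changes: a second "ip helper-address" on every VLAN interface so DHCP broadcasts are relayed to both servers, and (point 3) enforcing the "DHCP only" policy on the switch where the hardware supports it. The configuration fragment below is an added example, not something from the original thread or from the poster's network. It assumes Cisco IOS-style syntax, an existing DHCP server at 192.168.1.1 (the address mentioned in the thread), a hypothetical second server at 192.168.1.2, and hypothetical VLAN numbers and port names; the DHCP snooping and IP Source Guard commands are one way to do the "IP tracking" enforcement and only apply if the switch supports those features.

```text
! --- L3 switch: relay DHCP broadcasts to BOTH servers on every VLAN ---
! Each SVI keeps its existing gateway address; adding the second
! helper-address is purely local and changes nothing about routing.
interface Vlan10
 description Staff (VLAN number assumed for this example)
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.1.1
 ip helper-address 192.168.1.2     ! second DHCP server (assumed address)
!
interface Vlan20
 description Students (VLAN number assumed for this example)
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.1.1
 ip helper-address 192.168.1.2
!
! --- Access switch: only accept addresses that were actually leased ---
! DHCP snooping builds a binding table (MAC, IP, port, VLAN) from the
! leases it sees; IP Source Guard then drops packets from a port whose
! source IP is not in that table, so a client that statically sets itself
! to 192.168.10.1 (the gateway) cannot send a single packet with it.
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface GigabitEthernet1/0/48
 description Uplink to L3 switch (port name assumed)
 ip dhcp snooping trust              ! offers/relays arrive from here
!
interface range GigabitEthernet1/0/1 - 47
 description User ports (port names assumed)
 switchport mode access
 ip verify source                    ! IP Source Guard, needs snooping
!
! Useful checks after applying:
!   show ip dhcp snooping binding    -> leases the switch has learned
!   show ip verify source            -> ports where the filter is active
```

The helper-address part is the only change needed for the redundancy Brian describes; the snooping and source-guard lines are optional and only worth enabling once the DHCP service is dependable, otherwise a client that cannot get a lease also cannot talk at all. Both servers will receive every relayed request, so they must hand out non-overlapping ranges (or run a proper failover pair) to avoid the same address being leased twice.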